Great Britain has introduced a new draft law on cybersecurity and stability to strengthen the current regulations in the cybersecurity field. The decision was announced in the King's Speech at the opening of Parliament, in response to the rising number of cyber attacks on British companies.
The bill includes a mandatory requirement for companies to report incidents of cyber attacks. This measure aims to improve the government’s awareness of such attacks and enable a timely response. Authorities believe the new norms will help close existing defense gaps and prevent cyber attacks on critical public services.
However, the proposed bill is less ambitious than the Ministry of Interior’s initial plans, which included mandatory incident reporting and seeking permission from authorities before paying a ransom. It also aimed to prohibit companies in critical infrastructure sectors from paying ransoms to discourage hackers from targeting such entities.
The current version of the law will apply only to “regulated entities” and not the entire private sector. This may include Managed Service Providers (MSPs) supporting IT infrastructure for small businesses. It remains unclear whether the new rules will extend to other third-party services involved in providing critical infrastructure services.
Critical organizations in the UK have faced numerous cyber attacks, such as the recent attack on Synnovis, which led to the cancellation of essential medical procedures in London, including cancer treatments.
The current cybersecurity laws in the UK, known as the Network and Information Systems Regulations (NIS Regulations), were implemented in 2018 on the basis of a European Union Directive. These regulations set security standards for critical infrastructure providers and digital services, and mandate the reporting of cyber attacks.
However, the high threshold for mandatory incident reporting has kept the actual number of reports low. For instance, a NIS incident report for an electricity distribution network must involve an unplanned loss of supply affecting fewer than 50,000 customers for more than 3 minutes. Incidents that impact nationally significant services are also covered.